2022-07-27 19:51:53 +08:00
|
|
|
/****************************************************************************
|
|
|
|
* crypto/cast.c
|
|
|
|
* $OpenBSD: cast.c,v 1.4 2012/04/25 04:12:27 matthew Exp $
|
|
|
|
*
|
|
|
|
* CAST-128 in C
|
|
|
|
* Written by Steve Reid <sreid@sea-to-sky.net>
|
|
|
|
* 100% Public Domain - no warranty
|
|
|
|
* Released 1997.10.11
|
|
|
|
****************************************************************************/
|
2022-07-18 15:00:30 +08:00
|
|
|
|
2022-07-27 19:51:53 +08:00
|
|
|
/****************************************************************************
|
|
|
|
* Included Files
|
|
|
|
****************************************************************************/
|
2022-07-18 15:00:30 +08:00
|
|
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <sys/systm.h>
|
|
|
|
#include <crypto/cast.h>
|
2022-10-22 15:50:43 +08:00
|
|
|
#include "castsb.h"
|
2022-07-18 15:00:30 +08:00
|
|
|
|
|
|
|
/* Macros to access 8-bit bytes out of a 32-bit word */
|
2022-07-27 19:51:53 +08:00
|
|
|
|
|
|
|
#define UINT8_TA(x) ( (uint8_t) (x>>24) )
|
|
|
|
#define UINT8_TB(x) ( (uint8_t) ((x>>16)&255) )
|
|
|
|
#define UINT8_TC(x) ( (uint8_t) ((x>>8)&255) )
|
|
|
|
#define UINT8_TD(x) ( (uint8_t) ((x)&255) )
|
2022-07-18 15:00:30 +08:00
|
|
|
|
|
|
|
/* Circular left shift */
|
2022-07-27 19:51:53 +08:00
|
|
|
|
2022-07-18 15:00:30 +08:00
|
|
|
#define ROL(x, n) ( ((x)<<(n)) | ((x)>>(32-(n))) )
|
|
|
|
|
|
|
|
/* CAST-128 uses three different round functions */
|
2022-07-27 19:51:53 +08:00
|
|
|
|
2022-07-18 15:00:30 +08:00
|
|
|
#define F1(l, r, i) \
|
2022-07-27 19:51:53 +08:00
|
|
|
t = ROL(key->xkey[i] + r, key->xkey[i+16]); \
|
|
|
|
l ^= ((cast_sbox1[UINT8_TA(t)] ^ cast_sbox2[UINT8_TB(t)]) - \
|
|
|
|
cast_sbox3[UINT8_TC(t)]) + cast_sbox4[UINT8_TD(t)];
|
|
|
|
|
2022-07-18 15:00:30 +08:00
|
|
|
#define F2(l, r, i) \
|
2022-07-27 19:51:53 +08:00
|
|
|
t = ROL(key->xkey[i] ^ r, key->xkey[i+16]); \
|
|
|
|
l ^= ((cast_sbox1[UINT8_TA(t)] - cast_sbox2[UINT8_TB(t)]) + \
|
|
|
|
cast_sbox3[UINT8_TC(t)]) ^ cast_sbox4[UINT8_TD(t)];
|
|
|
|
|
2022-07-18 15:00:30 +08:00
|
|
|
#define F3(l, r, i) \
|
2022-07-27 19:51:53 +08:00
|
|
|
t = ROL(key->xkey[i] - r, key->xkey[i+16]); \
|
|
|
|
l ^= ((cast_sbox1[UINT8_TA(t)] + cast_sbox2[UINT8_TB(t)]) ^ \
|
|
|
|
cast_sbox3[UINT8_TC(t)]) - cast_sbox4[UINT8_TD(t)];
|
2022-07-18 15:00:30 +08:00
|
|
|
|
2022-07-27 19:51:53 +08:00
|
|
|
/****************************************************************************
|
|
|
|
* Public Functions
|
|
|
|
****************************************************************************/
|
2022-07-18 15:00:30 +08:00
|
|
|
|
2022-07-27 19:51:53 +08:00
|
|
|
/* Encryption Function */
|
2022-07-18 15:00:30 +08:00
|
|
|
|
2022-07-27 19:51:53 +08:00
|
|
|
void cast_encrypt(FAR cast_key *key,
|
|
|
|
FAR uint8_t *inblock,
|
|
|
|
FAR uint8_t *outblock)
|
2022-07-18 15:00:30 +08:00
|
|
|
{
|
2022-07-27 19:51:53 +08:00
|
|
|
uint32_t t;
|
|
|
|
uint32_t l;
|
|
|
|
uint32_t r;
|
2022-07-18 15:00:30 +08:00
|
|
|
|
2022-07-27 19:51:53 +08:00
|
|
|
/* Get inblock into l,r */
|
2022-07-18 15:00:30 +08:00
|
|
|
|
2022-07-27 19:51:53 +08:00
|
|
|
l = ((uint32_t)inblock[0] << 24) |
|
|
|
|
((uint32_t)inblock[1] << 16) |
|
|
|
|
((uint32_t)inblock[2] << 8) |
|
|
|
|
(uint32_t)inblock[3];
|
2022-07-18 15:00:30 +08:00
|
|
|
|
2022-07-27 19:51:53 +08:00
|
|
|
r = ((uint32_t)inblock[4] << 24) |
|
|
|
|
((uint32_t)inblock[5] << 16) |
|
|
|
|
((uint32_t)inblock[6] << 8) |
|
|
|
|
(uint32_t)inblock[7];
|
|
|
|
|
|
|
|
/* Do the work */
|
|
|
|
|
|
|
|
F1(l, r, 0);
|
|
|
|
F2(r, l, 1);
|
|
|
|
F3(l, r, 2);
|
|
|
|
F1(r, l, 3);
|
|
|
|
F2(l, r, 4);
|
|
|
|
F3(r, l, 5);
|
|
|
|
F1(l, r, 6);
|
|
|
|
F2(r, l, 7);
|
|
|
|
F3(l, r, 8);
|
|
|
|
F1(r, l, 9);
|
|
|
|
F2(l, r, 10);
|
|
|
|
F3(r, l, 11);
|
|
|
|
|
|
|
|
/* Only do full 16 rounds if key length > 80 bits */
|
|
|
|
|
|
|
|
if (key->rounds > 12)
|
|
|
|
{
|
|
|
|
F1(l, r, 12);
|
|
|
|
F2(r, l, 13);
|
|
|
|
F3(l, r, 14);
|
|
|
|
F1(r, l, 15);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Put l,r into outblock */
|
|
|
|
|
|
|
|
outblock[0] = UINT8_TA(r);
|
|
|
|
outblock[1] = UINT8_TB(r);
|
|
|
|
outblock[2] = UINT8_TC(r);
|
|
|
|
outblock[3] = UINT8_TD(r);
|
|
|
|
outblock[4] = UINT8_TA(l);
|
|
|
|
outblock[5] = UINT8_TB(l);
|
|
|
|
outblock[6] = UINT8_TC(l);
|
|
|
|
outblock[7] = UINT8_TD(l);
|
|
|
|
|
|
|
|
/* Wipe clean */
|
|
|
|
|
|
|
|
t = l = r = 0;
|
2022-07-18 15:00:30 +08:00
|
|
|
}
|
|
|
|
|
2022-07-27 19:51:53 +08:00
|
|
|
/* Decryption Function */
|
|
|
|
|
|
|
|
void cast_decrypt(FAR cast_key *key,
|
|
|
|
FAR uint8_t *inblock,
|
|
|
|
FAR uint8_t *outblock)
|
|
|
|
{
|
|
|
|
uint32_t t;
|
|
|
|
uint32_t l;
|
|
|
|
uint32_t r;
|
|
|
|
|
|
|
|
/* Get inblock into l,r */
|
|
|
|
|
|
|
|
r = ((uint32_t)inblock[0] << 24) |
|
|
|
|
((uint32_t)inblock[1] << 16) |
|
|
|
|
((uint32_t)inblock[2] << 8) |
|
|
|
|
(uint32_t)inblock[3];
|
|
|
|
|
|
|
|
l = ((uint32_t)inblock[4] << 24) |
|
|
|
|
((uint32_t)inblock[5] << 16) |
|
|
|
|
((uint32_t)inblock[6] << 8) |
|
|
|
|
(uint32_t)inblock[7];
|
|
|
|
|
|
|
|
/* Do the work */
|
|
|
|
|
|
|
|
/* Only do full 16 rounds if key length > 80 bits */
|
2022-07-18 15:00:30 +08:00
|
|
|
|
2022-07-27 19:51:53 +08:00
|
|
|
if (key->rounds > 12)
|
|
|
|
{
|
|
|
|
F1(r, l, 15);
|
|
|
|
F3(l, r, 14);
|
|
|
|
F2(r, l, 13);
|
|
|
|
F1(l, r, 12);
|
|
|
|
}
|
2022-07-18 15:00:30 +08:00
|
|
|
|
2022-07-27 19:51:53 +08:00
|
|
|
F3(r, l, 11);
|
|
|
|
F2(l, r, 10);
|
|
|
|
F1(r, l, 9);
|
|
|
|
F3(l, r, 8);
|
|
|
|
F2(r, l, 7);
|
|
|
|
F1(l, r, 6);
|
|
|
|
F3(r, l, 5);
|
|
|
|
F2(l, r, 4);
|
|
|
|
F1(r, l, 3);
|
|
|
|
F3(l, r, 2);
|
|
|
|
F2(r, l, 1);
|
|
|
|
F1(l, r, 0);
|
|
|
|
|
|
|
|
/* Put l,r into outblock */
|
|
|
|
|
|
|
|
outblock[0] = UINT8_TA(l);
|
|
|
|
outblock[1] = UINT8_TB(l);
|
|
|
|
outblock[2] = UINT8_TC(l);
|
|
|
|
outblock[3] = UINT8_TD(l);
|
|
|
|
outblock[4] = UINT8_TA(r);
|
|
|
|
outblock[5] = UINT8_TB(r);
|
|
|
|
outblock[6] = UINT8_TC(r);
|
|
|
|
outblock[7] = UINT8_TD(r);
|
|
|
|
|
|
|
|
/* Wipe clean */
|
|
|
|
|
|
|
|
t = l = r = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Key Schedule */
|
|
|
|
|
|
|
|
void cast_setkey(FAR cast_key *key, FAR uint8_t *rawkey, int keybytes)
|
2022-07-18 15:00:30 +08:00
|
|
|
{
|
2022-07-27 19:51:53 +08:00
|
|
|
uint32_t t[4];
|
|
|
|
uint32_t z[4];
|
|
|
|
uint32_t x[4];
|
|
|
|
int i;
|
|
|
|
|
|
|
|
/* Set number of rounds to 12 or 16, depending on key length */
|
|
|
|
|
|
|
|
key->rounds = (keybytes <= 10 ? 12 : 16);
|
|
|
|
|
|
|
|
/* Copy key to workspace x */
|
|
|
|
|
|
|
|
for (i = 0; i < 4; i++)
|
|
|
|
{
|
|
|
|
x[i] = 0;
|
|
|
|
if ((i * 4 + 0) < keybytes)
|
|
|
|
{
|
|
|
|
x[i] = (uint32_t)rawkey[i * 4 + 0] << 24;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((i * 4 + 1) < keybytes)
|
|
|
|
{
|
|
|
|
x[i] |= (uint32_t)rawkey[i * 4 + 1] << 16;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((i * 4 + 2) < keybytes)
|
|
|
|
{
|
|
|
|
x[i] |= (uint32_t)rawkey[i * 4 + 2] << 8;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((i * 4 + 3) < keybytes)
|
|
|
|
{
|
|
|
|
x[i] |= (uint32_t)rawkey[i * 4 + 3];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Generate 32 subkeys, four at a time */
|
|
|
|
|
|
|
|
for (i = 0; i < 32; i += 4)
|
|
|
|
{
|
|
|
|
switch (i & 4)
|
|
|
|
{
|
|
|
|
case 0:
|
|
|
|
t[0] = z[0] = x[0] ^ cast_sbox5[UINT8_TB(x[3])] ^
|
|
|
|
cast_sbox6[UINT8_TD(x[3])] ^
|
|
|
|
cast_sbox7[UINT8_TA(x[3])] ^
|
|
|
|
cast_sbox8[UINT8_TC(x[3])] ^
|
|
|
|
cast_sbox7[UINT8_TA(x[2])];
|
|
|
|
t[1] = z[1] = x[2] ^ cast_sbox5[UINT8_TA(z[0])] ^
|
|
|
|
cast_sbox6[UINT8_TC(z[0])] ^
|
|
|
|
cast_sbox7[UINT8_TB(z[0])] ^
|
|
|
|
cast_sbox8[UINT8_TD(z[0])] ^
|
|
|
|
cast_sbox8[UINT8_TC(x[2])];
|
|
|
|
t[2] = z[2] = x[3] ^ cast_sbox5[UINT8_TD(z[1])] ^
|
|
|
|
cast_sbox6[UINT8_TC(z[1])] ^
|
|
|
|
cast_sbox7[UINT8_TB(z[1])] ^
|
|
|
|
cast_sbox8[UINT8_TA(z[1])] ^
|
|
|
|
cast_sbox5[UINT8_TB(x[2])];
|
|
|
|
t[3] = z[3] = x[1] ^ cast_sbox5[UINT8_TC(z[2])] ^
|
|
|
|
cast_sbox6[UINT8_TB(z[2])] ^
|
|
|
|
cast_sbox7[UINT8_TD(z[2])] ^
|
|
|
|
cast_sbox8[UINT8_TA(z[2])] ^
|
|
|
|
cast_sbox6[UINT8_TD(x[2])];
|
|
|
|
break;
|
|
|
|
case 4:
|
|
|
|
t[0] = x[0] = z[2] ^ cast_sbox5[UINT8_TB(z[1])] ^
|
|
|
|
cast_sbox6[UINT8_TD(z[1])] ^
|
|
|
|
cast_sbox7[UINT8_TA(z[1])] ^
|
|
|
|
cast_sbox8[UINT8_TC(z[1])] ^
|
|
|
|
cast_sbox7[UINT8_TA(z[0])];
|
|
|
|
t[1] = x[1] = z[0] ^ cast_sbox5[UINT8_TA(x[0])] ^
|
|
|
|
cast_sbox6[UINT8_TC(x[0])] ^
|
|
|
|
cast_sbox7[UINT8_TB(x[0])] ^
|
|
|
|
cast_sbox8[UINT8_TD(x[0])] ^
|
|
|
|
cast_sbox8[UINT8_TC(z[0])];
|
|
|
|
t[2] = x[2] = z[1] ^ cast_sbox5[UINT8_TD(x[1])] ^
|
|
|
|
cast_sbox6[UINT8_TC(x[1])] ^
|
|
|
|
cast_sbox7[UINT8_TB(x[1])] ^
|
|
|
|
cast_sbox8[UINT8_TA(x[1])] ^
|
|
|
|
cast_sbox5[UINT8_TB(z[0])];
|
|
|
|
t[3] = x[3] = z[3] ^ cast_sbox5[UINT8_TC(x[2])] ^
|
|
|
|
cast_sbox6[UINT8_TB(x[2])] ^
|
|
|
|
cast_sbox7[UINT8_TD(x[2])] ^
|
|
|
|
cast_sbox8[UINT8_TA(x[2])] ^
|
|
|
|
cast_sbox6[UINT8_TD(z[0])];
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (i & 12)
|
|
|
|
{
|
|
|
|
case 0:
|
|
|
|
case 12:
|
|
|
|
key->xkey[i + 0] = cast_sbox5[UINT8_TA(t[2])] ^
|
|
|
|
cast_sbox6[UINT8_TB(t[2])] ^
|
|
|
|
cast_sbox7[UINT8_TD(t[1])] ^
|
|
|
|
cast_sbox8[UINT8_TC(t[1])];
|
|
|
|
key->xkey[i + 1] = cast_sbox5[UINT8_TC(t[2])] ^
|
|
|
|
cast_sbox6[UINT8_TD(t[2])] ^
|
|
|
|
cast_sbox7[UINT8_TB(t[1])] ^
|
|
|
|
cast_sbox8[UINT8_TA(t[1])];
|
|
|
|
key->xkey[i + 2] = cast_sbox5[UINT8_TA(t[3])] ^
|
|
|
|
cast_sbox6[UINT8_TB(t[3])] ^
|
|
|
|
cast_sbox7[UINT8_TD(t[0])] ^
|
|
|
|
cast_sbox8[UINT8_TC(t[0])];
|
|
|
|
key->xkey[i + 3] = cast_sbox5[UINT8_TC(t[3])] ^
|
|
|
|
cast_sbox6[UINT8_TD(t[3])] ^
|
|
|
|
cast_sbox7[UINT8_TB(t[0])] ^
|
|
|
|
cast_sbox8[UINT8_TA(t[0])];
|
|
|
|
break;
|
|
|
|
case 4:
|
|
|
|
case 8:
|
|
|
|
key->xkey[i + 0] = cast_sbox5[UINT8_TD(t[0])] ^
|
|
|
|
cast_sbox6[UINT8_TC(t[0])] ^
|
|
|
|
cast_sbox7[UINT8_TA(t[3])] ^
|
|
|
|
cast_sbox8[UINT8_TB(t[3])];
|
|
|
|
key->xkey[i + 1] = cast_sbox5[UINT8_TB(t[0])] ^
|
|
|
|
cast_sbox6[UINT8_TA(t[0])] ^
|
|
|
|
cast_sbox7[UINT8_TC(t[3])] ^
|
|
|
|
cast_sbox8[UINT8_TD(t[3])];
|
|
|
|
key->xkey[i + 2] = cast_sbox5[UINT8_TD(t[1])] ^
|
|
|
|
cast_sbox6[UINT8_TC(t[1])] ^
|
|
|
|
cast_sbox7[UINT8_TA(t[2])] ^
|
|
|
|
cast_sbox8[UINT8_TB(t[2])];
|
|
|
|
key->xkey[i + 3] = cast_sbox5[UINT8_TB(t[1])] ^
|
|
|
|
cast_sbox6[UINT8_TA(t[1])] ^
|
|
|
|
cast_sbox7[UINT8_TC(t[2])] ^
|
|
|
|
cast_sbox8[UINT8_TD(t[2])];
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (i & 12)
|
|
|
|
{
|
|
|
|
case 0:
|
|
|
|
key->xkey[i + 0] ^= cast_sbox5[UINT8_TC(z[0])];
|
|
|
|
key->xkey[i + 1] ^= cast_sbox6[UINT8_TC(z[1])];
|
|
|
|
key->xkey[i + 2] ^= cast_sbox7[UINT8_TB(z[2])];
|
|
|
|
key->xkey[i + 3] ^= cast_sbox8[UINT8_TA(z[3])];
|
|
|
|
break;
|
|
|
|
case 4:
|
|
|
|
key->xkey[i + 0] ^= cast_sbox5[UINT8_TA(x[2])];
|
|
|
|
key->xkey[i + 1] ^= cast_sbox6[UINT8_TB(x[3])];
|
|
|
|
key->xkey[i + 2] ^= cast_sbox7[UINT8_TD(x[0])];
|
|
|
|
key->xkey[i + 3] ^= cast_sbox8[UINT8_TD(x[1])];
|
|
|
|
break;
|
|
|
|
case 8:
|
|
|
|
key->xkey[i + 0] ^= cast_sbox5[UINT8_TB(z[2])];
|
|
|
|
key->xkey[i + 1] ^= cast_sbox6[UINT8_TA(z[3])];
|
|
|
|
key->xkey[i + 2] ^= cast_sbox7[UINT8_TC(z[0])];
|
|
|
|
key->xkey[i + 3] ^= cast_sbox8[UINT8_TC(z[1])];
|
|
|
|
break;
|
|
|
|
case 12:
|
|
|
|
key->xkey[i + 0] ^= cast_sbox5[UINT8_TD(x[0])];
|
|
|
|
key->xkey[i + 1] ^= cast_sbox6[UINT8_TD(x[1])];
|
|
|
|
key->xkey[i + 2] ^= cast_sbox7[UINT8_TA(x[2])];
|
|
|
|
key->xkey[i + 3] ^= cast_sbox8[UINT8_TB(x[3])];
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (i >= 16)
|
|
|
|
{
|
|
|
|
key->xkey[i + 0] &= 31;
|
|
|
|
key->xkey[i + 1] &= 31;
|
|
|
|
key->xkey[i + 2] &= 31;
|
|
|
|
key->xkey[i + 3] &= 31;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Wipe clean */
|
|
|
|
|
|
|
|
explicit_bzero(t, sizeof(t));
|
|
|
|
explicit_bzero(x, sizeof(x));
|
|
|
|
explicit_bzero(z, sizeof(z));
|
2022-07-18 15:00:30 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Made in Canada */
|